FEDERAL ELECTION COMMISSION
OFFICE OF INSPECTOR GENERAL

FINAL REPORT

Audit of the Federal Election Commission’s Fiscal Year 2008 Financial Statements

November 2008

ASSIGNMENT No. OIG-08-01

Table of Contents

Transmittal Memorandum
Independent Auditor’s Report
Independent Auditor’s Report on Internal Control Over Financial Reporting
Independent Auditor’s Report on Compliance and Other Matters

FEDERAL ELECTION COMMISSION
WASHINGTON, D.C. 20463
Office of Inspector General

MEMORANDUM

TO: The Commission
FROM: Inspector General
SUBJECT: Audit of the Federal Election Commission’s Fiscal Year 2008 Financial Statements
DATE: November 12, 2008

Pursuant to the Chief Financial Officers Act of 1990, commonly referred to as the “CFO Act”, as amended, this letter transmits the Independent Auditor’s Report and accompanying Independent Auditor’s Reports on Internal Control and Compliance and Other Matters issued by Clifton Gunderson (CG-LLP) for the fiscal year ending September 30, 2008.
The audit was performed under a contract with and monitored by the Office of Inspector General (OIG) in accordance with the auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and, applicable provisions of Office of Management (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended.

Opinion on the Financial Statements

The consolidated balance sheets of the Federal Election Commission (FEC) as of September 30, 2008 and 2007 and the related statements of net cost, changes in net cost, changes in net position, and combined statement of budgetary resources for the years then ended (hereinafter collectively referred to as the “financial statements”) were audited. The audit included an examination, on a test basis, of evidence supporting the amounts and disclosures in the financial statements.
The audit also included assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall principal statements’ presentation.

The CG-LLP Independent Auditor’s Report concluded that the FEC’s financial statements present fairly, in all material respects, the financial position of the FEC as of September 30, 2008 and 2007, and its net cost, changes in net position, budgetary resources, and custodial activity for the years then ended in conformity with accounting principles generally accepted in the United States of America.

Report on Internal Control

CG-LLP’s planning and performance of the audit included consideration of the FEC’s internal control over financial reporting as a basis for designing audit procedures for the purpose of expressing an opinion on the financial statements and to comply with OMB Bulletin 07-04, as amended, but not for the purpose of expressing an opinion on the effectiveness of FEC’s internal control over financial reporting. The auditors did not test all internal controls relevant to operating effectiveness as broadly defined by the Federal Managers’ Financial Integrity Act (FMFIA) (31 U.S.C. 3512), such as those controls relevant to ensuring efficient operations. Consequently CG-LLP did not express an opinion on the agency’s internal control over financial reporting.

The American Institute of Certified Public Accountants (AICPA) established standards on communicating deficiencies related to internal control over financial reporting identified by the auditors.
As defined by the AICPA, a control deficiency exists when the design or operation of a control does not allow the agency’s management or its employees, in the normal course of performing their assigned duties, to prevent or detect misstatements on a timely basis.

Auditors determine whether an internal control deficiency is a significant deficiency or a material weakness based on the factors of likelihood and magnitude. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the agency’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the agency’s financial statements that is more than inconsequential will not be prevented or detected by the agency’s internal controls. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by the agency’s internal controls.

CG-LLP identified a significant deficiency in the area of:
   • Information Technology (IT)

CG-LLP identified a material weakness in the area of:
   • Financial Accounting and Reporting Controls

Report on Compliance and Other Matters

FEC management is responsible for complying with laws and regulations applicable to the agency.
To obtain reasonable assurance about whether FEC’s financial statements are free of material misstatements, CG-LLP performed tests of compliance with certain provisions of laws and regulations, non-compliance with which could have a direct and material effect on the determination of financial statement amounts, and certain other laws and regulations specified in OMB Bulletin No. 07-04, as amended. Tests of compliance were limited to these provisions and CG-LLP did not test compliance with all laws and regulations applicable to FEC.

The results of CG-LLP’s tests of compliance with laws and regulations described in the audit report disclosed an instance of reportable noncompliance that is required to be reported under U.S. generally accepted government auditing standards or OMB guidance.

CG-LLP identified a reportable noncompliance in the area of:
   • The Federal Managers’ Financial Integrity Act (FMFIA)

Audit Follow-up

The report on internal control contains recommendations to address weaknesses found by the auditors. Management was provided a draft copy of the audit report for comment and generally concurred with the findings and recommendations. In accordance with OMB Circular No. A-50, Audit Follow-up, revised, the FEC’s corrective action plan is to set forth the specific action planned to implement the recommendations and the schedule for implementation. The Commission has designated the Chief Financial Officer to be the audit follow-up official for the financial statement audit.

OIG Evaluation of Clifton Gunderson LLP’s Audit Performance

We reviewed CG-LLP’s reports and related documentation and made necessary inquiries of its representatives.
Our review was not intended to enable the OIG to express, and we do not express, an opinion on the FEC’s financial statements, provide conclusions about the effectiveness of internal control or conclusions on FEC’s compliance with laws and regulations. However, the OIG review disclosed no instances where CG-LLP did not comply, in all material respects, with Government Auditing Standards.

We appreciate the courtesies and cooperation extended to Clifton Gunderson LLP and the OIG staff during the audit. If you should have any questions concerning these reports, please contact my office on (202) 694-1015.

Lynne A. McFarland
Inspector General

Attachments

Cc: Acting Staff Director
    General Counsel
    Acting Chief Financial Officer
    Chief Information Officer
    Accounting Officer

Independent Auditor’s Report

To the Inspector General of the Federal Election Commission

We have audited the balance sheets of the Federal Election Commission (FEC) as of September 30, 2008 and 2007, and the related statements of net cost, changes in net position, budgetary resources, and custodial activity for the years then ended (hereinafter collectively referred to as the “financial statements”). These financial statements are the responsibility of FEC’s management.
Our responsibility is to express an opinion on these financial statements based on our audits.

We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statements’ presentation. We believe our audits provide a reasonable basis for our opinion.

In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of FEC as of September 30, 2008 and 2007, and its net cost, changes in net position, budgetary resources, and custodial activity for the years then ended in conformity with accounting principles generally accepted in the United States of America.

In accordance with Government Auditing Standards, we have also issued our reports dated November 7, 2008 on our consideration of FEC’s internal control over financial reporting, and on our tests of FEC’s compliance with certain provisions of laws and regulations and other matters. The purpose of those reports is to describe the scope of our testing of internal control over financial reporting and compliance and the results of that testing, and not to provide an opinion on the internal control over financial reporting or on compliance.
Those reports are an integral part of our audit performed in accordance with Government Auditing Standards and should be considered in assessing the results of our audit.

The information in the Management’s Discussion and Analysis section is not a required part of the financial statements, but is supplementary information required by accounting principles generally accepted in the United States of America. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of this information. However, we did not audit this information and, accordingly, we express no opinion on it.

Our audits were conducted for the purpose of forming an opinion on the financial statements taken as a whole. The information in the Message from the Chairman, Performance Section, and Other Accompanying Information is presented for purposes of additional analysis and is not required as part of the financial statements. This information has not been subjected to auditing procedures and, accordingly, we express no opinion on it.

Calverton, Maryland
November 7, 2008

11710 Beltsville Drive
Suite 300
Calverton, MD 20705-3106
tel: 301-931-2050
fax: 301-931-1710
www.cliftoncpa.com
Offices in 17 states and Washington, DC

Independent Auditor’s Report on Internal Control Over Financial Reporting

To the Inspector General of the Federal Election Commission

We have audited the financial statements of the Federal Election Commission (FEC) as of and for the year ended September 30, 2008 and have issued our report thereon dated November 7, 2008.
We conducted our audit in accordance with the auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and, applicable provisions of Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended.

The management of FEC is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, and reliable financial reporting. In planning and performing our audit, we considered FEC’s internal control over financial reporting as a basis for designing our audit procedures for the purpose of expressing our opinion on the financial statements and to comply with OMB Bulletin 07-04, as amended, but not for the purpose of expressing an opinion on the effectiveness of FEC’s internal control over financial reporting. We did not test all internal controls relevant to operating effectiveness as broadly defined by the Federal Managers’ Financial Integrity Act (FMFIA) (31 U.S.C. 3512), such as those controls relevant to ensuring efficient operations. Accordingly, we do not express an opinion on the effectiveness of FEC’s internal control over financial reporting.

Our consideration of internal control over financial reporting was for the limited purpose described in the preceding paragraph and would not necessarily identify all deficiencies in internal control over financial reporting that might be significant deficiencies or material weaknesses.
As discussed below, we identified certain deficiencies in internal control over financial reporting that we consider to be a material weakness and a significant deficiency.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected by the entity’s internal control. We consider the deficiency in Information Technology described below to be a significant deficiency in internal control over reporting.

A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by the entity’s internal controls.

Our consideration of the internal control over financial reporting was for the limited purpose described in the second paragraph of this section and would not necessarily identify all deficiencies in the internal control that might be significant deficiencies and, accordingly, would not necessarily disclose all significant deficiencies that are also considered to be material weaknesses.
However, we believe that the significant deficiency in Financial Accounting and Reporting Controls described below is a material weakness.

*************************************

MATERIAL WEAKNESS

I. Financial Accounting and Reporting Controls (Repeat Modified Finding)

The Accountability of Tax Dollars Act of 2002 (ATDA) extends to FEC a requirement to submit to the Congress and the Director of the Office of Management and Budget (OMB) audited financial statements. OMB Circular A-136, Financial Reporting Requirements, defines the form and content of financial statements to be prepared by the agency. To accomplish the objective of complying with the ATDA, the agency is required to develop a system to prepare a complete set of financial statements on a timely basis in accordance with generally accepted accounting principles. The statements are to result from an accounting system that is an integral part of an integrated financial management system containing sufficient structure, effective internal control and reliable data. Financial reporting also consists of policies and procedures related to the processing and summarizing of accounting entries, and the preparation of financial statements.

Below are descriptions of the control deficiencies within FEC’s financial reporting environment:

A. Insufficient Resources and Personnel with Appropriate Federal Accounting and Reporting Skill Sets (New Finding)

FEC did not have adequate resources and employees with appropriate skill sets to handle financial management accounting and reporting. There was turnover in key financial positions during the year and adequate resources were not always available to fill the vacancies.
For example, the staff accountant position has been vacant since March 2008. This position is responsible for performing monthly reconciliations and calculating accrual and property, plant and equipment amounts reported on the financial statements. FEC has not developed a program to cross train other Office of Chief Financial Officer (OCFO) personnel in performing these tasks and contractors were hired to perform some of these duties intermittently throughout the year. As a result, the Accounting Officer had to take on some of these responsibilities leaving FEC with insufficient resources to effectively administer quality assurance procedures within their financial reporting environment.

This deficiency was aggravated by the migration of the agency’s accounting and financial reporting operations to a service provider during FY 2008. FEC’s understanding of key processes, controls and reports utilized by the service provider is on-going and was not obtained timely enough to adequately assess associated control risks and develop or redesign internal controls to mitigate those risks. These deficiencies are key factors in many of the weaknesses in financial reporting as described further in this report.

GAO Standards for Internal Control in the Federal Government states “People are what make internal control work. The responsibility for good internal controls rests with all managers. Management sets the objectives, puts the control mechanisms and activities in place, and monitors and evaluates the control. However, all personnel in the organization play important roles in making it happen”.
Moreover, “All personnel need to possess and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal control. Management needs to identify appropriate knowledge and skills needed for various jobs and provide needed training, as well as candid and constructive counseling, and performance appraisals.”

The need for employees with analytical and federal accounting and reporting competencies will only increase as FEC further integrates its financial management system. Without the adequate staffing levels and the proper skill sets, the FEC will continue to encounter challenges in the financial reporting process including preparing financial reports in a timely manner, and consistent with applicable laws and regulations.

Recommendations:

1. Fill vacant positions within the OCFO as soon as possible. Ensure that the individuals possess analytical, Federal accounting and financial reporting knowledge and experience to enhance the FEC’s ability to comply with accounting and financial reporting standards.

2. Evaluate the resources and appropriate skills needed throughout the agency to meet FEC’s financial management and reporting responsibilities and implement a plan on achieving the results and recommendations of the evaluation.

3. Ensure that appropriate and on-going training is provided to FEC employees on federal accounting and reporting and the accounting service provider’s financial system. Also, ensure OCFO personnel are properly cross-trained in department activities.

Management Response:

Management generally concurs with the finding and recommendations.
FEC management is committed to improving its internal control and accordingly, will develop a corrective action plan to address the issues identified.

B. Inadequate Financial Statement Preparation and Reporting (Modified Repeat Finding)

OMB Circular A-136, Financial Reporting Requirements, states: “preparation of the annual financial statements is the responsibility of the agency’s management. In carrying out this responsibility, each agency chief financial officer should prepare a policy bulletin or guidance memorandum that guides the agency’s fiscal and management personnel in the preparation of the annual financial statements.” The existence of written procedures will provide structure and accountability for the financial statements preparation and review processes. They also help ensure activities are carried out in accordance with management directives.

Our audit disclosed the following control deficiencies in FEC’s financial statement preparation and reporting process. Many of these deficiencies were identified during the prior year audit. FEC’s audit follow-up process was ineffective in resolving these deficiencies in a timely manner.

• FEC did not have a comprehensive policy bulletin or guidance memorandum as required by OMB Circular A-136.
The lack of formalized policies and procedures is a contributing factor for the additional control deficiencies described below.

• Accounting entries recorded in the accounting system or posted to the financial statements as “on-top” adjustments were not reviewed timely by FEC or the review was not independently performed by someone other than the preparer. Other controls in place such as management’s review of the financial statements were ineffective in detecting incorrect accounting entries made by the service provider. Further, an audit trail supporting the entry was not properly maintained. Lack of, or inadequate, internal control increases the risk of financial statement misstatements. Our audit identified accounting posting errors related to the following transactions:

   ➢ The June 30, 2008 financial statements improperly included:
      o $1.5 million in accrued payroll costs;
      o $769,314 in advanced payments to GSA;
      o $41,530,546 in budget authority temporarily unavailable during the continuing resolution period; and
      o Accrued employer contributions and payroll taxes costs.

   ➢ The Draft September 30, 2008 financial statements provided included:
      o Approximately $2.6 million of collections from custodial activity in Fund Balance with Treasury and the Custodial Liability line items on the Balance Sheet improperly; and
      o Adjustments made by the service provider to the trial balance, after conversion, which impacted the Statement of Budgetary Resources for Expired Allotments were not sufficiently documented.

• FEC has not established a formalized timeline for completing key processes and controls related to the financial statement process.
For example, we noted that the Finance Office Checklist detailing month end closing and financial statement preparation procedures was not prepared throughout the year. Furthermore, control activities, such as fluctuation analysis and relationship testing, were not finalized until after the financial statements were issued to the auditors for audit.

• A mechanism for tracking manual accounting entries sent to the service provider was not developed, which prevented FEC from being able to verify accounting entries were posted as intended or properly.

As a result of the control deficiencies noted above, the financial statements provided for audit contained many inconsistencies, errors and typos throughout the document. We also noted that the financial statements provided were inconsistent with the guidance issued by OMB Circular A-136. Although the FEC has corrected all the items identified through the audit process, adequate controls were not in place to sufficiently detect such mistakes in a timely manner.

Recommendations:

4. Formalize and periodically update policies and procedures to a) ensure segregation of duties, b) provide guidance to management and staff in recording both recurring and unique transactions, including budgetary accounts, and c) provide guidance to management and staff in executing the financial statement preparation process in a manner that enhances the timeliness of financial statement preparation and minimizes the risk of preparing inaccurate financials.

5. Implement control activities to help ensure accounting transactions are recorded correctly, timely and are properly reviewed and adequate support documentation is maintained.
Some of these control activities should include, but not be limited to:

   • Improving analytical and quality control review of journal vouchers, reconciliations and the financial statements, including interim financial statements. Procedures should include independent supervisory review of controls performed by someone other than the preparer.
   • Developing management’s expectations for fluctuation analysis, which includes setting the criteria for variances considered significant. Each expectation that is not met should be researched and results corroborated by data. Analytical tools that could be used are ratio analysis and trend analysis, as well as predictive techniques such as calculation of an expected balance. Results should be documented and maintained for management review and audit purposes.
   • Implementing proper and timely cut-off controls from processing transactions and in preparing the financial statements to allow for management’s timely analysis of financial data and for audit purposes.
   • Researching the accounting treatment of unique and non-recurring transactions and seeking specific guidance from accounting standard-setters from the beginning to ensure the recording of such events are properly included in the financial statement account balances and to ensure accuracy and transparency of financial accountable events.

6. Establish formalized policies and procedures for performing continuous assessment of risk factors associated with financial reporting, evaluating relevant controls and developing or redesigning controls to mitigate risks.
These policies should include a well-defined documentation process that contains an audit trail, verifiable results, and specify retention periods so that someone not connected with the procedures can understand the assessment process.

7. Enforce the use of the Finance Office Check List throughout the entire fiscal year.

8. Establish a mechanism for tracking manual journal entries sent to the service provider and maintaining associated support documents.

9. Develop or redesign controls that strengthen the accountability structure related to the process for resolving audit findings.

Management Response:

Management generally concurs with the finding and recommendations. FEC management is committed to improving its internal control and accordingly, will develop a corrective action plan to address the issues identified.

C. Integrate Financial Management System (Modified Repeat Finding)

FEC utilizes the general ledger and core financial management system (general ledger system) of its accounting service provider. The general ledger system is not capable of generating most user reports for data analysis on a real time basis. Users have to request from the accounting service provider some basic reports, which are generated by another software application.

Other financial management systems used at FEC include Excel spreadsheets, database applications, and PeopleSoft (PS).
These systems are used to accumulate and summarize data for the following financial transactions, all of which are material to FEC’s financial statements:

   • Collections, Accounts Receivable, and Custodial Liability specific to Fines and Penalties;
   • Property and equipment, accumulated depreciation, and depreciation expense;
   • Obligations; and
   • Payroll and time attendance reporting.

None of these FEC financial management systems are interfaced with the general ledger system. OMB Circular No. A-127, Financial Management Systems, requires that each agency establish and maintain a single integrated financial management system. Without a single integrated financial management system to ensure timely and accurate financial data, poor policy decisions may occur due to inaccurate or untimely information. Managers are less likely to be able to report accurately to the President, Congress, and the public on Government operations in a timely manner. And, scarce resources are more likely to be directed toward the collection of information rather than to delivery of the intended programs.

As a result of these systems not being integrated, significant time is required to compile the information. In addition to gathering the data from the offices, the OCFO manually incorporates the information into each stand alone system in order to generate the necessary documentation to support the balances reported on the financial statements. For example, the OCFO must request accounts receivable information from three divisions since there is no mechanism in place to automatically notify the OCFO that a fine or penalty was assessed.
After the OCFO obtains the relevant information, which may not always be received in a
timely manner, the data is keystroked into a database. A journal entry is prepared for
submission to the service provider to record the details into the accounting system. Given
the number of times the information is separately recorded into different systems, there
is an increased risk for input error. A monthly reconciliation is performed of the
accounts receivable; however, without the staff accountant, as mentioned above, the
recording of transactions may not always occur timely or accurately.

Another example where the lack of an integrated financial system impacts efficiency
pertains to the recording of obligations. The FEC has improved its procurement operations
from the prior year by converting to a web-based procurement system that requires all
purchase requests to be processed electronically, which alleviates the duplication of
entry in preparing the obligating document. However, the procurement system is not
integrated to the financial management system. Therefore, several areas for error still
exist. Specifically, the obligating document is provided via e-mail to the Finance Office
for review and submission to the service provider. Should the Procurement Office forget to
send the obligating document to the Finance Office, there is an increased risk that the
obligation does not get recorded in a timely manner or at all. Once the Finance Office
receives the obligating document, they then print the document to submit the hard copy
document to the service provider. At this time, the FEC does not send the document to the
service provider electronically. Therefore, this process further increases the risk that
the obligation may not be recorded timely or at all.
Finally, once the service provider receives the obligating document, they keystroke the
relevant financial information into the accounting system, providing for the opportunity
for an input error.

Having a single, integrated financial management system does not necessarily mean having
only one software application within each agency covering all financial management system
needs. Also, it does not mean that all information is physically located in the same
database. Rather, a single, integrated financial management system is a unified set of
financial systems linked together electronically in an efficient and effective manner to
provide agency-wide financial system support. Integration means that the user is able to
have one view into systems such that, at whatever level the individual is using the
system, he or she can obtain needed information efficiently and effectively through
electronic means. Interfaces are acceptable as long as the supporting detail is maintained
and accessible to managers. Interface linkages must be electronic unless the number of
transactions is so small that it is not cost beneficial to automate the interface. Easy
reconciliations between systems, where interface linkages are appropriate, must be
maintained to ensure data accuracy.

Without these systems being integrated, controls surrounding the processing, recording and
review of financial transactions become much more critical and require greater resources
to ensure completeness and accuracy. FEC management continues to place its emphasis on the
compilation of the financial and performance data, but due to the lack of resources it is
not capable of sufficiently performing the reviews needed to alleviate the control risk
associated with the lack of an integrated financial management system.

Recommendation:

10. Re-evaluate if interfacing its standalone financial management systems with the
    service provider’s system is feasible and/or cost effective. If not feasible and/or
    cost effective, consider the subsystems used by the service provider’s financial
    management systems.

Management Response:

Management generally concurs with the finding and recommendations. As of February 2008,
the FEC transitioned the processing of its accounting transactions to an OMB-certified
line of business provider. FEC management will evaluate its stand-alone financial
management systems and develop a corrective action plan to address the issues identified.

These deficiencies in internal control may adversely affect any decision by management
that is based, in whole or in part, on information that is inaccurate because of these
deficiencies. Unaudited financial information reported by FEC, including budget
information, also may contain misstatements not prevented or detected because of these
deficiencies.

*************************************

SIGNIFICANT DEFICIENCY

II. Information Technology (IT) (Modified Repeat Finding)

A. Commission-Wide Security Administration Needs To Be Enhanced (Repeat Finding)

An entity-wide security management program should be in place to establish a framework and
continuing cycle of activity to manage security risks, develop security policies, assign
responsibilities, and monitor the adequacy of computer security related controls.
It should also represent the foundation for an entity’s security control structure and a
reflection of senior management’s commitment to addressing security risks.

During our Fiscal Year 2008 review of FEC’s security program, we noted that FEC made
progress in addressing prior years’ findings, notably a contract was awarded on
September 16, 2008 to certify and accredit its major applications and general support
systems. Also, FEC had developed its Disaster Recovery Plan. However, continued efforts
are required especially in the areas of security administration and oversight.
Specifically, we noted that FEC had not fully implemented all security procedures and
standards; had not finalized and implemented an information classification policy; and had
not finalized and implemented its certification and accreditation policy. Furthermore, FEC
is currently in the process of developing a security plan for its Local Area Network (LAN)
that incorporates the results of the LAN Risk Assessment.

Office of Management and Budget (OMB) Circular No. A-130, Appendix III, Security of Federal
Automated Information Resources, requires agencies to implement and maintain a program to
assure that adequate security is provided for all agency information collected, processed,
transmitted, stored, or disseminated in general support systems and major applications.

Without an effective entity-wide security program plan, FEC has an increased risk that
security controls are inadequate and inconsistently applied.
Such conditions may lead to insufficient protection of sensitive data and high
expenditures for controls over low risk resources.

At the time of this review, FEC’s existing security program revealed weaknesses in
controls that expose the FEC’s financial management systems and data to unauthorized
access and/or modification. Security weaknesses noted included:

• FEC has not fully implemented a framework of policies and standards to mitigate risks
  associated with the management of its information resources. Although FEC has
  implemented the majority of its information security policies, it has not fully
  implemented all of the related procedures and standards. FEC has not finalized and
  implemented an information classification policy, as well as its certification and
  accreditation policy. (Repeat Finding)
• FEC is currently in the process of developing a security plan for its LAN that
  incorporates the results of the LAN Risk Assessment. However, the security plan is still
  in the development phase and has not been finalized and approved. (Repeat Finding)
• There are weaknesses in FEC’s program for the continuous monitoring and evaluation of
  the computer security policy and control effectiveness. FEC does not utilize corrective
  action plans for all internal reviews of security controls. (Repeat Finding)
• Major applications and mission critical general support systems have not been certified
  and accredited to ensure that they are operating according to FEC’s security
  requirements.
  (Repeat Finding).
• There is currently no process in place to ensure that contractors undergo background
  investigations before obtaining access to FEC systems or data. (Repeat Finding)
• The PeopleSoft application is currently running on an Oracle Release 8i Relational
  Database Management System that is no longer supported by the vendor. (Repeat Finding)

Recommendations:

11. Finalize and implement FEC’s information classification policy and certification and
    accreditation policy along with any accompanying standards.

12. Incorporate the results of risk assessments into FEC security plans.

13. Utilize corrective action plans for all reviews of security controls whether performed
    internally or by a third-party.

14. Certify and accredit all major applications and mission critical general support
    systems.

15. Implement a process to ensure that background investigations are performed on all
    contractors prior to granting them access to FEC system resources.

16. FEC should move all of its PeopleSoft financial processing capabilities to GSA or
    update its existing platform to vendor-supported versions/releases.

Management Response:

FEC agrees with the majority of elements within this finding. The FEC awarded a contract
to certify and accredit its major applications and general support systems on
September 16, 2008. On September 23, 2008 a formal Kick-Off meeting was held to formally
begin work on the contract. Since that time the vendor has provided the Contracting
Officer Technical Representative (COTR) with an updated project plan that describes how
and when certification and accreditation objectives are to be achieved. The vendor is
currently updating system characterizations and performing a system classification for
each major application and general support system.
The Certification and Accreditation contract specifies line items to address the following
issues identified within this finding:

    • Finalizing and implementing a modified certification and accreditation and
      information classification policies.
    • Updating current security plans by incorporating the results of the recently
      completed risk assessment.
    • Developing a Program of Actions and Milestones to monitor and evaluate the internal
      review of security controls.
    • Certify and Accredit FEC major applications and general support systems.

On September 29, 2008 the Director of Human Resources addressed the issue of contractor
background investigations by issuing the following policy “that all contracting personnel
from this date forward (September 29, 2008) must obtain a background investigation prior
to obtaining access to FEC systems.”

With respect to Oracle 8i, due to legacy issues associated with some FEC applications the
current version of Oracle 8i is required. Although the vendor no longer provides support
for this version of Oracle it does provide limited support which includes assisting
customers with work-arounds to issues that may arise. In addition the FEC has built a
considerable amount of experience and internal expertise over the years this product has
been in its inventory. In addition to its considerable experience, the FEC has tested and
maintains Oracle 8i application and data backups allowing it to restore any databases to a
usable state in the event of any mishap.

The FEC recognizes the risk associated with maintaining a product with limited support.
Accordingly the FEC is relying upon its considerable internal expertise, restricted access
to only a few persons, backup and restoral capabilities and Oracle’s limited support as
compensating factors until the application can be removed from its inventory.

B. Disaster Recovery and Continuity of Operations Plan Need to be Developed (Repeat
   Finding)

Losing the capability to process and protect information maintained on FEC’s computer
systems can significantly impact FEC’s ability to accomplish its mission. The purpose of
disaster recovery and continuity of operations controls is to ensure that, when unexpected
events occur, critical operations continue without interruption or critical operations are
promptly resumed. To achieve this objective, FEC should have procedures in place to
protect information resources and minimize the risk of unplanned interruptions and a plan
to recover critical operations should interruptions occur. These plans should consider
activities performed at FEC’s general support facilities (e.g. FEC’s local area network,
wide area network, and telecommunications facilities), as well as the activities performed
by users of specific applications. To determine whether the disaster recovery plans will
work as intended, FEC should establish and periodically test the capability to perform its
functions in disaster simulation exercises.

Our review of the service continuity controls identified that FEC has not developed a
Continuity of Operations Plan (COOP) to support the continuation of its core mission in
the event of a disaster or other interruption that renders the FEC’s facilities unusable.
(Repeat Finding)

Recommendation:

17. Develop and implement a Disaster Recovery Continuity of Operations Plan (COOP).

Management Response:

Management agrees with the issue presented in this finding, and in fiscal year 2008
implemented a multiple year three phase project plan to develop and implement a FEC-Wide
Continuity of Operations Plan (COOP). Phase One consisted of developing an Office of
Information Technology (OIT) Disaster Recovery Plan (DRP), Phase Two (Kick Off Meeting
September 29, 2008) consists of preparing for the migration of the OIT DRP into a COOP,
and Phase Three consists of implementing a Commission wide COOP. Bear in mind that Phase
Three is contingent upon receiving adequate funding and senior management support.

C. Logical Access Control Needs to be Strengthened (Modified Repeat Finding)

Achieving an adequate level of information protection is highly dependent upon
consistently maintaining effective access controls, system software and configuration
management controls. Access controls limit and monitor access to computer resources (i.e.,
data files, application programs, and computer-related facilities and equipment) to the
extent necessary to provide reasonable assurance that these resources are protected
against waste, loss, unauthorized modification, disclosure, or misappropriation. Access
controls include logical controls, such as security software programs designed to prevent
or detect unauthorized access to sensitive files. Without proper controls, there is a risk
that security features could be inadvertently or deliberately omitted or "turned off" or
that processing irregularities or malicious code could be introduced.

Our testing of internal controls identified a weakness related to the information
protection in FEC’s information systems environment.
These include FEC’s midrange computer systems (e.g. servers) and applications. Weaknesses
noted include the following:

We noted the following control weaknesses over monitoring access to FEC’s networks,
systems and physical facility:

    o 4 out of 10 separated employees still have active network accounts; and
    o There is currently no exit clearance process in place for contractors to ensure that
      all FEC property is returned and all access permissions are removed.

Recommendations:

18. FEC should promptly terminate access to FEC resources for separated employees.
    Procedures should be documented and implemented to coordinate separations between
    Human Resources and IT management to ensure user accounts are immediately disabled
    upon termination.

19. Implement an exit clearance process to track separated FEC contractors and ensure that
    their access permissions are removed and all FEC property has been returned.

Management Response:

Although the FEC has a documented process in place to terminate FEC resources and collect
property from separated employees and contractors, it concurs that this process can be
improved. To this end, the FEC has established a working group to implement more stringent
procedures to ensure that network access is appropriately curtailed. In addition OIT will
soon be implementing an automated information system to better deal with the issues
identified in this finding. The New FEC Access System (FAS) includes processes for full
time employees, interns, and contractors and will eliminate the discrepancies described in
this finding.
FAS will track staff and contractors from the start of their employment or contract at the
Commission to exit and allow managers to request and document changes in network and
application access. FAS will enable a higher degree of coordination among offices to
ensure that user accounts are disabled and equipment is properly returned per FEC policy.
FAS will retain all historical information regarding account creation, changes to access
rights, system resources, and termination information regarding a particular staff or
contractor. FAS is now in the final testing stages and is tentatively scheduled for full
implementation by December 1, 2008.

III. Other Matter

As required by OMB Bulletin No. 07-04, as amended, we compared the material weaknesses
disclosed during the audit with those material weaknesses reported in the FEC’s FMFIA
report that relate to control over financial reporting. Our audit identified a material
weakness related to the financial statement preparation and reporting as reported above
that was not included in the FEC’s FMFIA report.

IV. Status of Prior Year Conditions

We have reviewed the status of the FEC’s corrective actions with respect to the findings
and recommendations from the prior year’s report on internal controls. We have attached
Appendix A to our report that presents the status of prior year findings and
recommendations.

********************************

FEC's response to the material weakness and significant deficiency identified in our audit
is presented within the body of our report.
We did not audit the FEC\'s response and, accordingly,\nwe express no opinion on it.\n\nIn addition to the material weakness and significant deficiency described above, we noted\ncertain matters involving internal control and its operation that we reported to the management\nof the FEC in a separate letter dated November 7, 2008.\n\nThis report is intended solely for the information and use of the management of the FEC, the\nFEC Office of Inspector General, Government Accountability Office, the OMB, and the U.S.\nCongress, and is not intended to be and should not be used by anyone other than these\nspecified parties.\n\n\n\n\nCalverton, Maryland \n\nNovember 7, 2008 \n\n\n\n\n\n                                         Page 13 of 17\n\x0c                                    APPENDIX A \n\n                          FEDERAL ELECTION COMMISSION \n\n               STATUS OF PRIOR YEAR FINDINGS AND RECOMMENDATIONS\n\n                                 September 30, 2008\n\n\n PY Rec.       Condition/Audit\n                                           Recommendation                    Current Status\n   No.             Area\n                                     Material Weakness\nI.   Integrated Financial Management System\n     1.       Integrated        Assess the extent of financial            Recommendation\n              Financial         management system integration             closed.\n              Management        needed for existing systems while\n              System            outsourcing the accounting\n                                operations to a third party service\n                                provider.\n     2.       
Integrated        Implement control activities to           Recommendation\n              Financial         compensate for the lack of an             open: reported in FY\n              Management        integrated financial management           2008 as a material\n              System            system and to ensure that                 weakness.\n                                accounting transactions are\n                                recorded correctly, timely reviewed\n                                and with adequate supporting\n                                documentation. Some of these\n                                controls activities should include, but\n                                not limited to:\n                                \xe2\x80\xa2 Improving preparation and\n                                    review of procurement\n                                    documents, including purchase\n                                    requests, purchase\n                                    orders/contracts, and related\n                                    supporting documentation;\n                                \xe2\x80\xa2 Improving analytical and quality\n                                    control review of journal\n                                    vouchers, reconciliations and the\n                                    financial statements, including\n                                    interim financial statements;\n                                \xe2\x80\xa2 Implementing proper and timely\n                                    cut-off controls for processing\n                                    transactions and in preparing the\n                                    financial statements to allow for\n                                    management\xe2\x80\x99s timely analysis of\n                                    financial data and for audit\n                                    purposes; and\n                                \xe2\x80\xa2 Establish 
a timeline for timely\n                                    receipt of completed accounts\n                                    receivable schedules by the\n                                    finance office from the program\n                                    offices.\n     3.       Integrated        Ensure that the general ledger setup      Recommendation\n              Financial         and posting model definitions are in      closed.\n              Management        compliance with the latest\n              System            transaction posting consistent with\n                                USSGL guidance and policies for\n\n                                          Page 14 of 15\n\x0c                                 APPENDIX A \n\n                       FEDERAL ELECTION COMMISSION \n\n            STATUS OF PRIOR YEAR FINDINGS AND RECOMMENDATIONS\n\n                              September 30, 2008 \n\n\n PY Rec.    Condition/Audit\n                                        Recommendation                     Current Status\n   No.          Area\n                               recording and classifying\n                               transactions.\n   4.      Integrated          Provide employee training on             Recommendation\n           Financial           procurement, appropriation law,          open: reported in FY\n           Management          budget execution, and financial          2008 as a material\n           System              reporting, as applicable to ensure       weakness.\n                               financial reporting and fund control\n                               policies are consistently and\n                               accurately executed.\n   5.      Integrated          Ensure that FEC complies with            Recommendation\n           Financial           regulatory agencies\xe2\x80\x99 reporting           updated: reported in\n           Management          requirements.                            
FY 2008 management\n           System                                                       letter\n                                Significant Deficiencies\nII. Information Technology\n    6.      Security           Perform risk assessments, as part of     Recommendation\n            Administration     FEC\xe2\x80\x99s overall strategy to mitigate       closed\n                               risks associated with its IT\n                               environment.\n   7.      Security            Finalize and implement FEC\xe2\x80\x99s             Recommendation\n           Administration      information classification policy and    open: reported in FY\n                               certification and accreditation policy   2008 as a significant\n                               along with any accompanying              deficiency.\n                               standards.\n   8.      Security            Incorporate the results of risk          Recommendation\n           Administration      assessments into FEC security            open: reported in FY\n                               plans.                                   2008 as a significant\n                                                                        deficiency.\n   9.      Security            Certify and accredit all major           Recommendation\n           Administration      applications and mission critical        open: reported in FY\n                               general support systems.                 2008 as a significant\n                                                                        deficiency.\n   10.     
Security            Refine procedures to ensure that all     Recommendation\n           Administration      newly hired employees undergo the        closed.\n                               appropriate background                   Re-opened in FY 2008\n                               investigations commensurate with         for New Contractors\n                               the risk level of their position. FEC\n                               should also ensure these\n                               investigations are initiated within a\n                               reasonable time of employment start\n                               date.\n   11.     Disaster recovery   Perform a BIA to formally identify       Recommendation\n           & Continuity of     and prioritize all critical data and     closed\n           Operations          operations on FEC\xe2\x80\x99s networks and\n                               the resources needed to recover\n                               them if there is a major interruption\n\n\n\n                                       Page 15 of 17\n\x0c                               APPENDIX A \n\n                     FEDERAL ELECTION COMMISSION \n\n          STATUS OF PRIOR YEAR FINDINGS AND RECOMMENDATIONS\n\n                            September 30, 2008 \n\n\nPY Rec.   Condition/Audit\n                                       Recommendation                    Current Status\n  No.         Area\n                              or disaster.\n 12.      Disaster recovery   Establish an alternate processing       Recommendation\n          & Continuity of     site and incorporate the results of     closed\n          Operations          the BIA into the contingency plan.\n\n 13.      
Disaster recovery   Develop a comprehensive                 Recommendation\n          & Continuity of     contingency plan that incorporates      closed\n          Operations          the results of the BIA and includes\n                              the procedures and resources\n                              necessary to restore FEC systems in\n                              the event of a disaster. Ensure\n                              emergency processing priorities are\n                              established to assist in managing\n                              disaster situations, and ensure once\n                              developed, the plan is tested\n                              annually and updated based on the\n                              results of these tests.\n 14.      Disaster recovery   Develop a COOP that addresses           Recommendation\n          & Continuity of     measures and procedures to follow       open: reported in FY\n          Operations          in the event of a long-term             2008 as a significant\n                              interruption.                           deficiency.\n 15.      Logical Access,     Transfer processing to a service        Recommendation\n          System Software     provider or update existing platform    open: reported in FY\n          and Change          to vendor-supported                     2008 as a significant\n          Management          versions/releases.                      deficiency.\n          Controls\n 16.      Logical Access,     Write audit trails related to DBA       Recommendation\n          System Software     activity to Operating Systems logs      closed\n          and Change          and limit DBA\xe2\x80\x99s access to these logs.\n          Management\n          Controls\n 17.      
Logical Access,     Maintain documentation to support       Recommendation\n          System Software     the testing and approval of system      closed\n          and Change          software changes.\n          Management\n          Controls\n 18.      Logical Access,     Develop additional mitigating           Recommendation\n          System Software     controls to ensure that PeopleSoft      closed\n          and Change          passwords are in agreement with\n          Management          FEC policy or ensure that if\n          Controls            PeopleSoft processing is\n                              outsourced, the third party maintains\n                              password controls that comply with\n                              FEC password policies.\n 19.      Logical Access,     Promptly terminate access to FEC        Recommendation\n          System Software     resources for separated employees.      open: reported in FY\n\n\n\n                                      Page 16 of 17\n\x0c                               APPENDIX A \n\n                     FEDERAL ELECTION COMMISSION \n\n          STATUS OF PRIOR YEAR FINDINGS AND RECOMMENDATIONS\n\n                            September 30, 2008 \n\n\nPY Rec.    Condition/Audit\n                                      Recommendation                    Current Status\n  No.           Area\n          and Change         Procedures should be documented         2008 as a significant\n          Management         and implemented to coordinate           deficiency.\n          Controls           separations between Human\n                             Resources and IT management to\n                             ensure user accounts are\n                             immediately disabled upon\n                             termination.\n 20.      
          Logical Access,     Utilize access request forms that       Recommendation
          System Software     identify the user’s access level to     closed
          and Change          document user access rights to all
          Management          FEC systems and facilities.
          Controls            Additionally, FEC should periodically
                              review and recertify user access to
                              ensure current access is
                              commensurate with job
                              responsibilities.


Independent Auditor’s Report on Compliance and Other Matters


To the Inspector General of the
  Federal Election Commission

We have audited the financial statements of the Federal Election Commission (FEC) as of, and
for the year ended September 30, 2008, and have issued our report thereon dated November 7,
2008. We conducted our audit in accordance with the auditing standards generally accepted in
the United States of America; the standards applicable to financial audits contained in
Government Auditing Standards, issued by the Comptroller General of the United States; and
Office of Management and Budget (OMB) Bulletin 07-04, Audit Requirements for Federal
Financial Statements, as amended.

The management of FEC is responsible for complying with laws and regulations, and
government-wide policies applicable to FEC. As part of obtaining reasonable assurance about
whether FEC’s financial statements are free of material misstatements, we performed tests of
FEC’s compliance with certain provisions of laws and regulations, and government-wide
policies, non-compliance with which could have a direct and material effect on the determination
of financial statement amounts and certain other laws and regulations specified in OMB Bulletin
07-04, as amended.
We limited our tests of compliance to these provisions and we did not test
compliance with all laws and regulations applicable to FEC. Providing an opinion on compliance
with certain provisions of laws and regulations, and government-wide policies was not an
objective of our audit, and, accordingly, we do not express such an opinion.

The results of our tests of compliance with applicable laws and regulations, and
government-wide policies described in the preceding paragraph disclosed an instance of reportable
noncompliance that is required to be reported under U.S. generally accepted government
auditing standards or OMB guidance and is described in the following paragraphs.

The Federal Managers' Financial Integrity Act (FMFIA)

The FMFIA requires agencies to establish management controls over their programs and
financial systems as stated in the following sections of the Act:

• Section 2 seeks to assess internal controls necessary to ensure obligations and costs are in
  compliance with applicable law; funds, property, and other assets are safeguarded against
  waste, loss, unauthorized use, or misappropriation; and revenues and expenditures are
  properly recorded and accounted for to permit the preparation of accounts and reliable
  financial and statistical reports.

• Section 4 seeks to assess nonconformance with government-wide financial systems
  requirements.

11710 Beltsville Drive
Suite 300
Calverton, MD 20705-3106
tel: 301-931-2050
fax: 301-931-1710
www.cliftoncpa.com
Offices in 17 states and Washington, DC

OMB Circular A-123, Management’s Responsibility for Internal Control, is issued under the
authority of the FMFIA (section 2).
OMB Circular A-123 states that management is responsible
for establishing and maintaining internal control to achieve the objectives of effective and
efficient operations, reliable financial reporting, and compliance with applicable laws and
regulations. Management shall consistently apply the internal control standards to meet each of
the internal control objectives and to assess the internal control effectiveness.

OMB Circular A-127, Financial Management Systems, offers guidance in implementing FMFIA
(section 4). OMB Circular A-127 requires that “Financial management systems shall be
designed to provide for effective and efficient interrelationships between software, hardware,
personnel, procedures, controls, and data contained within the systems”.

The FEC has not fully complied with certain requirements of the FMFIA. See details in our
Independent Auditor’s Report on Internal Control, Sections I and II. The key items we identified
include:

• Insufficient resources and personnel with appropriate Federal accounting and reporting skill
  sets;
• Inadequate financial statement preparation and reporting controls;
• Financial management systems not fully integrated; and
• Weaknesses in information technology.

This report is intended solely for the information and use of the management of FEC, FEC
Office of Inspector General, GAO, OMB and Congress, and is not intended to be and should not
be used by anyone other than these specified parties.


Calverton, Maryland
November 7, 2008